Introduction to OpenID Connect
•
44 j'aime•18,426 vues
OpenID Connect is a new identity layer on top of OAuth 2.0.
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (6)
Similaire à Introduction to OpenID Connect
Similaire à Introduction to OpenID Connect (20)
Plus de Nat Sakimura
Plus de Nat Sakimura (20)
Dernier
Dernier (20)
Introduction to OpenID Connect
- 1. Connect OpenID OpenID Connect Nat Sakimura Chairman Senior Researcher C6b. New School Identity Frameworks Panel Foundation
- 2. Connect OpenID OAuth 2.0 Identity Layer on top of Base Protocol
- 4. Connect OpenID Identity = set of attributes related to an entity [iso 29115]
- 7. Connect OpenID No direct way to perceive Human
- 9. Connect OpenID Entity Identity Identity Sex Mail height Boy Friend Sex height Real Name Self Recognition Delta between Self and 3rd Party Recognition = interpersonal problem Delta between Self and 3rd Party Recognition= interpersonal problem Role Relatio nship 3rd Party Recognition Relationship Friends Boss Self Recognition 3rd Party Recognition Street Address Nickname Birthday Street Address Employee number licnese performance
- 14. Connect OpenID Q Why not just OAuth?
- 15. Connect OpenID OAuth is an Access Granting Protocol Betty’s Profile Alice Cindy Cindy ≠ Betty Alice ≠ Betty
- 16. Connect OpenID Facebook extends OAuth with “signed request” “ID Token” in OpenID Connect
- 20. Connect OpenID Signed Request • Works only with a single identity provider • Proprietary signature format ID Token • Works with multiple identity providers • IETF JSON Web Signature
- 21. Connect OpenID ID Token Claims Example { "iss": "https://server.example.com", "sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj" }
- 22. Connect OpenID Stick with OpenID Connect and not “OAuth Authentication”
- 23. Connect OpenID An Identity Layer provides: • is the user that got authenticated Who • was he authenticated Where • was he authenticated When • was he authenticated How • attributes he can give you What • he is providing them Why
- 29. Connect OpenID Interoperable • openid, profile, email, address, phone Standard scopes • Request object and claims Method to ask for more granular claims • Info about the authenticated user ID Token • Get attributes about the user • Translate the tokens UserInfo endpoint
- 30. Connect OpenID Simple & Mobile Friendly JSON Based REST Friendly In simplest cases, just copy and paste Mobile & App Friendly e.g., ID Token is signed JSON { "iss": "https://client.example.com", ”sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969, "acr": "2", "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng" }
- 31. Connect OpenID Secure • ISO/IEC 29115 Entity Authentication Assurance • Choice of crypto LoA1 LoA2 LoA3 LoA4
- 32. Connect OpenID Flexible • Through Request Object (JSON) • Data Minimization Granular Request • Does not disclose data recipients to data sources Aggregated Claims • Decentralized Data Storage Distributed Claims
- 33. Connect OpenID Choice of your provider Can be Google, eBay, AOL, Deutsche Telecom etc. Can be your Phone => Self-Issued Provider
- 35. Connect OpenID Name: Alice de Wonderland Mail: alice@example.com Notary: Google. Official Google Seal 株式会 社グー グル印 Name: Alice de Wonderland Mail: alice@example.com Notary: Google. SAML Authentication 1. Who are you. Get me a referral letter. Do not forget about Your email! 2. Plz write me a referral letter。 3. Here you are Alice 4. Here is the certificate. notary Eve Official Google Seal
- 36. Connect OpenID 1. Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house. 2. Can you give me a valet key to my house? 3. Here you are! Alice 4. Her is the key! Pseudo-Authentication using OAuth Apartment Controller Eve
- 37. Connect OpenID OpenID Connect Authentication 1. Who are you. Get me a referral letter. Do not forget about Your email! 2. Give Eve the locker Key and a referral letter. 3. Here you are! Alice 4. Here you are Date:2011/5/15 11:00:04 Level of Assurance:2 Verifier:Google Official Google Seal Butler Locker Locker Eve Date:2011/5/15 11:00:04 Level of Assurance:2 Verifier:Google Official Google Seal
- 38. Connect OpenID OpenID Connect's Clams aggregation and distributed claims. Name: Alice de Wanderland DoB: 1989/3/3 Sex: F Address: 135 Broadway., NY, NY NY City Official Seal Locker UserInfo Endpoint Site X Site Y Site Z Eve
- 39. Connect OpenID Applying it to Enterprise model
- 40. Connect OpenID Entity Identity Identity Sex Mail height Boy Friend Sex height Real Name Self Recognition Delta between Self and 3rd Party Recognition = interpersonal problem Delta between Self and 3rd Party Recognition= interpersonal problem Role Relatio nship 3rd Party Recognition Relationship Friends Boss Self Recognition 3rd Party Recognition Street Address Nickname Birthday Street Address Employee number licnese performance
- 41. Connect OpenID Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication Policy Enforcement Rules
- 42. Connect OpenID ABAC (Attribute Based Access Control) Based on SP800-162 figure on page viii identity Resource Rules
- 43. Connect OpenID Real Name Professional qualification department Geo-location Employee number Entity Identity Resource Authentication PEP PDP PAP Boss Metadata Log Log
- 44. Connect OpenID Q What kind of “Identity” (set of attributes) an enterprise needs?
- 45. Connect OpenID Current Standard Claims wont do
- 46. Connect OpenID UserInfo Claims • sub • name • given_name • family_name • middle_name • nickname • preferred_username • profile • picture • website • gender • birthdate • locale • zoneinfo • updated_at • email • email_verified • phone_number • phone_number_verified • address
- 47. Connect OpenID UserInfo Claims Example { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "email": "janedoe@example.com", "email_verified": true, "picture": "http://example.com/janedoe/me.jpg" }
- 48. Connect OpenID Perhaps we need standard “enterprise” claims
- 50. Connect OpenID SCIM Enterprise User Schema Extension • employeeNumber – Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. • costCenter – Identifies the name of a cost center. organization Identifies the name of an organization. • division – Identifies the name of a division. • department – Identifies the name of a department. • manager – The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
- 52. Connect OpenID Perhaps we need standard “enterprise” claims
- 53. Connect OpenID Q When shall I start using OpenID Connect?
- 54. Connect OpenID Timeline 2nd Implementers Draft Public Review (45 days) 2nd Implementers Draft Vote (14 days) Final Review (60 days) Final We are here! December 2013
- 56. Connect OpenID OAuth and OpenID Connect: In the Trenches Wednesday, July 10, 4:00 – 5:30 PM Salon C/D/E to be continued at …
- 59. Connect OpenID Working Group Members • Key working group participants: – Nat Sakimura – Nomura Research Institute – Japan – John Bradley – Ping Identity – Chile – Breno de Medeiros – Google – US – Axel Nennker – Deutsche Telekom – Germany – Torsten Lodderstedt – Deutsche Telekom – Germany – Roland Hedberg – Umeå University – Sweden – Andreas Åkre Solberg – UNINETT – Norway – Chuck Mortimore – Salesforce – US – Brian Campbell – Ping Identity – US – George Fletcher – AOL – US – Justin Richer – Mitre – US – Nov Matake – Independent – Japan – Mike Jones – Microsoft – US • By no means an exhaustive list!
- 60. Connect OpenID Design Philosophy Simple Things Simple Complex Things Possible
- 61. Connect OpenID Simple Things Simple UserInfo endpoint for simple claims about user Designed to work well on mobile phones
- 62. Connect OpenID How We Make It Simple • Build on OAuth 2.0 • Use JavaScript Object Notation (JSON) • Build only the pieces that you need • Goal: Easy implementation on all modern development platforms
- 63. Connect OpenID Complex Things Possible Encrypted Claims Aggregated Claims Distributed Claims
- 64. Connect OpenID A Look Under the Covers • ID Token • Claims Requests • UserInfo Claims • Example Protocol Messages
- 65. Connect OpenID OpenID Connect Authentication 1. Who are you. Get me a referral letter. Do not forget about Your email! 2. Give Eve the locker Key and a referral letter. 3. Here you are! Alice 4. Here you are Date:2011/5/15 11:00:04 Level of Assurance:2 Verifier:Google Official Google Seal Butler Locker Locker Bob Date:2011/5/15 11:00:04 Level of Assurance:2 Verifier:Google Official Google Seal Access Token ID Token
- 66. Connect OpenID ID Token • JWT representing logged-in session • Claims: – iss – Issuer – sub – Identifier for subject (user) – aud – Audience for ID Token – iat – Time token was issued – exp – Expiration time – nonce – Mitigates replay attacks – at_hash – Left hash of the access token – azp – Authorized Party
- 67. Connect OpenID ID Token Claims Example { "iss": "https://server.example.com", "sub": "alice", "aud": "https://bob.example.com", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj", "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng", "azp": "https://cindy.example.com/" }
- 68. Connect OpenID at_hash makes ID Token a detached signature for the access token
- 69. Connect OpenID azp allows token to be used by another party Site X Cindy Bob ID Token Access Token
- 70. Connect OpenID Using Access Token only for Authentication is Dangerous. 1. Who are you. Get me a referral letter. Do not forget about Your email! 2. Give Eve the locker Key and a referral letter. 3. Here you are! Alice 4. Here you are Butler Access Token Eve
- 71. Connect OpenID OpenID Connect's Clams aggregation and distributed claims. Name: Alice de Wanderland DoB: 1989/3/3 Sex: F Address: 135 Broadway., NY, NY NY City Official Seal Locker UserInfo Endpoint Site X Site Y Site Z Bob
- 73. Connect OpenID Distributed Claims Identity Provider Signed Claims Relying Party Claim Refs Data Source Data Source
- 74. Connect OpenID Claims Requests • Basic requests made using OAuth scopes: – openid – Declares request is for OpenID Connect – profile – Requests default profile info – email – Requests email address & verification status – address – Requests postal address – phone – Requests phone number & verification status – offline_access – Requests Refresh Token issuance • Requests for individual claims can be made using JSON “claims” request parameter
- 76. Connect OpenID You can register it at registration time : request_uri Personally Recommended
- 78. Connect OpenID Authorization Response Example HTTP/1.1 302 Found Location: https://client.example.com/cb #access_token=mF_9.B5f-4.1JqM &token_type=bearer &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z &expires_in=3600 &state=af0ifjsldkj
- 79. Connect OpenID UserInfo Request Example GET /userinfo?schema=openid HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM
- 81. Connect OpenID Resources • OpenID Connect – http://openid.net/connect/ • OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab • OpenID Connect Interop Wiki – http://osis.idcommons.net/ • OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop • Mike Jones’ Blog – http://self-issued.info/ • Nat Sakimura’s Blog – http://nat.sakimura.org/ • John Bradley’s Blog – http://www.thread-safe.com/
- 82. Connect OpenID Current Status • Waiting for dependencies to be completed • JWS, JWE, JWA, JWK IETF JOSE WG • JSON Web Token (JWT) IETF OAuth WG • WebFinger IETF Apps WG
- 83. Connect OpenID Interop testing underway AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart 120+ feature tests 14 implementations